Common Weakness Enumeration

CWE-347

Allowed

Improper Verification of Cryptographic Signature

Abstraction: Base · Status: Draft

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

1126 vulnerabilities reference this CWE, most recent first.

GHSA-CHQ4-235Q-JP7W

Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2026-06-09 12:32
VLAI
Details

An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59719"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T18:15:55Z",
    "severity": "CRITICAL"
  },
  "details": "An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.",
  "id": "GHSA-chq4-235q-jp7w",
  "modified": "2026-06-09T12:32:00Z",
  "published": "2025-12-09T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59719"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-864900.html"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-647"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CHW7-Q7HH-9VC2

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-07-11 00:00
VLAI
Details

Union Pay up to 1.2.0, for web based versions contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants' websites and mobile apps, via a crafted authentication code (MAC) which is generated based on a secret key which is NULL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-23533"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-06T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Union Pay up to 1.2.0, for web based versions contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants\u0027 websites and mobile apps, via a crafted authentication code (MAC) which is generated based on a secret key which is NULL.",
  "id": "GHSA-chw7-q7hh-9vc2",
  "modified": "2022-07-11T00:00:18Z",
  "published": "2022-05-24T17:46:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23533"
    },
    {
      "type": "WEB",
      "url": "https://cwe.mitre.org/data/definitions/347.html"
    },
    {
      "type": "WEB",
      "url": "https://www.dropbox.com/s/6smwnbrp0kgsgrc/poc_code.py?dl=0"
    },
    {
      "type": "WEB",
      "url": "https://www.dropbox.com/s/czbkdr73tclq2nr/UnionPay_Vulnerability_Report.txt?dl=0"
    },
    {
      "type": "WEB",
      "url": "http://mobitec.ie.cuhk.edu.hk/cve_2020"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJ56-5C53-9QJF

Vulnerability from github – Published: 2026-06-25 18:30 – Updated: 2026-06-26 18:33
VLAI
Details

wolfSSL_PKCS7_verify() returning success for a degenerate (certs-only) PKCS#7 object that contains no signer. Such an object has empty signerInfos, so the underlying signed-data verification succeeds without authenticating any content. The compatibility-layer verify path now rejects the object when no signer signature has actually been verified, so a PKCS#7 carrying no valid signature is no longer reported as verified. This is enforced regardless of the PKCS7_NOVERIFY flag, which only suppresses signer certificate chain validation and was never intended to waive the requirement that a signature exist. Only affects OpenSSL compatibility builds that call the PKCS7_verify() compatibility API on potentially degenerate PKCS#7 bundles.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-55961"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T18:16:41Z",
    "severity": "HIGH"
  },
  "details": "wolfSSL_PKCS7_verify() returning success for a degenerate (certs-only) PKCS#7 object that contains no signer. Such an object has empty signerInfos, so the underlying signed-data verification succeeds without authenticating any content. The compatibility-layer verify path now rejects the object when no signer signature has actually been verified, so a PKCS#7 carrying no valid signature is no longer reported as verified. This is enforced regardless of the PKCS7_NOVERIFY flag, which only suppresses signer certificate chain validation and was never intended to waive the requirement that a signature exist. Only affects OpenSSL compatibility builds that call the PKCS7_verify() compatibility API on potentially degenerate PKCS#7 bundles.",
  "id": "GHSA-cj56-5c53-9qjf",
  "modified": "2026-06-26T18:33:49Z",
  "published": "2026-06-25T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55961"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wolfSSL/wolfssl/pull/10702"
    },
    {
      "type": "WEB",
      "url": "https://www.wolfssl.com/docs/security-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CM49-FH74-75CH

Vulnerability from github – Published: 2022-11-10 12:01 – Updated: 2022-11-23 15:30
VLAI
Details

Insufficient verification of multiple header signatures while loading a Trusted Application (TA) may allow an attacker with privileges to gain code execution in that TA or the OS/kernel.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-26391"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-09T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Insufficient verification of multiple header signatures while loading a Trusted Application (TA) may allow an attacker with privileges to gain code execution in that TA or the OS/kernel.",
  "id": "GHSA-cm49-fh74-75ch",
  "modified": "2022-11-23T15:30:22Z",
  "published": "2022-11-10T12:01:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26391"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1029"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CMJG-6Q27-6FR4

Vulnerability from github – Published: 2026-07-07 12:31 – Updated: 2026-07-07 12:31
VLAI
Details

Improper verification of cryptographic signature vulnerability in HAVELSAN Inc. Liman MYS allows Fake the Source of Data.

This issue affects Liman MYS: before release.Master.1107.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11348"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-07T12:16:28Z",
    "severity": "HIGH"
  },
  "details": "Improper verification of cryptographic signature vulnerability in HAVELSAN Inc. Liman MYS allows Fake the Source of Data.\n\nThis issue affects Liman MYS: before release.Master.1107.",
  "id": "GHSA-cmjg-6q27-6fr4",
  "modified": "2026-07-07T12:31:36Z",
  "published": "2026-07-07T12:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11348"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0504"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CP57-FQ8G-QH6V

Vulnerability from github – Published: 2026-03-26 18:00 – Updated: 2026-03-26 18:00
VLAI
Summary
libcrux has an Incorrect Check of Signer Response Norm During Verification
Details

The ML-DSA verification algorithm as specified in FIPS 204, subsection 6.3 requires verifiers to check that the infinity norm of the deserialized signer response $z$ does not exceed $\gamma_1 - \beta$ (line 13 of Algorithm 8). The same check is required to be performed during signature generation.

libcrux-ml-dsa did not perform this check correctly during signature verification, accepting signatures with signer response norm above the allowed maximum value. The check is correctly performed during signing.

Impact

Applications using libcrux-ml-dsa for signature verification would have accepted signatures that would be rejected by a conforming implementation.

Mitigation

Starting from version 0.0.8, signature verification uses the correct value for $\gamma_1$ in the signer response norm check.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "libcrux-ml-dsa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T18:00:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The ML-DSA verification algorithm as specified in [FIPS 204, subsection 6.3](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#subsection.6.3) requires verifiers to check that the infinity norm of the deserialized signer response $z$ does not exceed $\\gamma_1 - \\beta$ (line 13 of Algorithm 8). The same check is required to be performed during signature generation.\n\nlibcrux-ml-dsa did not perform this check correctly during signature verification, accepting signatures with signer response norm above the allowed maximum value. The check is correctly performed during signing.\n\n## Impact\nApplications using libcrux-ml-dsa for signature verification would have accepted signatures that would be rejected by a conforming implementation.\n\n## Mitigation\nStarting from version `0.0.8`, signature verification uses the correct value for $\\gamma_1$ in the signer response norm check.",
  "id": "GHSA-cp57-fq8g-qh6v",
  "modified": "2026-03-26T18:00:28Z",
  "published": "2026-03-26T18:00:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cryspen/libcrux/pull/1347"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cryspen/libcrux"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0077.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "libcrux has an Incorrect Check of Signer Response Norm During Verification"
}

GHSA-CPPW-2MF8-QPM5

Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2024-09-24 15:48
VLAI
Summary
Improper Verification of Cryptographic Signature in matrix-synapse
Details

Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "matrix-synapse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-18835"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-19T19:32:08Z",
    "nvd_published_at": "2019-11-08T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over `/send_join`, `/send_leave`, and `/invite` may not be correctly signed, or may not come from the expected servers.",
  "id": "GHSA-cppw-2mf8-qpm5",
  "modified": "2024-09-24T15:48:55Z",
  "published": "2022-05-24T22:01:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18835"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/pull/6262"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/commit/172f264ed38e8bef857552f93114b4ee113a880b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/matrix-org/synapse"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/releases/tag/v1.5.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-186.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper Verification of Cryptographic Signature in matrix-synapse"
}

GHSA-CQGF-G3QQ-HHXW

Vulnerability from github – Published: 2023-11-14 21:31 – Updated: 2025-02-13 18:32
VLAI
Details

Improper signature verification of RadeonTM RX Vega M Graphics driver for Windows may allow an attacker with admin privileges to launch RadeonInstaller.exe without validating the file signature potentially leading to arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20568"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-14T19:15:15Z",
    "severity": "MODERATE"
  },
  "details": "Improper signature verification of RadeonTM RX Vega M Graphics driver for Windows may allow an attacker with admin privileges to launch RadeonInstaller.exe without validating the file signature potentially leading to arbitrary code execution.",
  "id": "GHSA-cqgf-g3qq-hhxw",
  "modified": "2025-02-13T18:32:03Z",
  "published": "2023-11-14T21:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20568"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-6003"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00971.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQVM-J2R2-HWPG

Vulnerability from github – Published: 2023-03-17 14:42 – Updated: 2023-03-17 14:42
VLAI
Summary
russh may use insecure Diffie-Hellman keys
Details

Summary

Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality.

Details

Russh does not validate Diffie-Hellman keys.

It accepts received DH public keys $e$ where $e<0$, $e=1$, or $e \geq p-1$ from a misbehaving peer annd successfully performs key exchange.

This is a violation of RFC 4253, section 8 and RFC 8268, section 4, which state that:

DH Public Key values MUST be checked and both conditions:

  • $1 < e < p-1$
  • $1 < f < p-1$

MUST be true. Values not within these bounds MUST NOT be sent or accepted by either side. If either one of these conditions is violated, then the key exchange fails.

For example, a DH client public key $e=1$ would mean that the shared secret that the server calculates is always $K = e^y \mod{p} = 1^y \mod{p} = 1$. In other cases, an insecure order-2 subgroup may be used.

Also, the code does not look like it ensures that the generated secret key $y$ is in the valid interval $0 < y < q$ (or, if russh is the client, that the secret key $x$ satisfies $1 < x < q$): https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76 For example, rng.gen_biguint() might return a number consisting of zeroes, so that $y = 0$.

The public key is not validated either: https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81

Impact

Due to the issues in the DH key generation, I think any connection that uses Diffie-Hellman key exchange is affected. Connections between a russh client and server or those of a russh peer with some other misbehaving peer are most likely to be problematic. These may vulnerable to eavesdropping.

Most other implementations reject such keys, so this is mainly an interoperability issue in such a case.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "russh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.36.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "russh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.37.0"
            },
            {
              "fixed": "0.37.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-17T14:42:45Z",
    "nvd_published_at": "2023-03-16T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nDiffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality.\n\n### Details\n\nRussh does not validate Diffie-Hellman keys.\n\nIt accepts received DH public keys $e$ where $e\u003c0$, $e=1$, or $e \\geq p-1$ from a misbehaving peer annd successfully performs key exchange.\n\nThis is a violation of [RFC 4253, section 8](https://www.rfc-editor.org/rfc/rfc4253#section-8) and [RFC 8268, section 4](https://www.rfc-editor.org/rfc/rfc8268#section-4), which state that:\n\n\u003eDH Public Key values MUST be checked and both conditions:\n\u003e\n\u003e - $1 \u003c e \u003c p-1$\n\u003e - $1 \u003c f \u003c p-1$\n\u003e\n\u003e MUST be true.  Values not within these bounds MUST NOT be sent or\n\u003e accepted by either side.  If either one of these conditions is\n\u003e violated, then the key exchange fails.\n\nFor example, a DH client public key $e=1$ would mean that the shared secret that the server calculates is always $K = e^y \\mod{p} = 1^y \\mod{p} = 1$.\nIn other cases, an insecure order-2 subgroup may be used.\n\nAlso, the code does not look like it ensures that the generated secret key $y$ is in the valid interval $0 \u003c y \u003c q$ (or, if russh is the client, that the secret key $x$ satisfies $1 \u003c x \u003c q$):\nhttps://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76\nFor example, `rng.gen_biguint()` might return a number consisting of zeroes, so that $y = 0$.\n\nThe public key is not validated either:\nhttps://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81\n\n### Impact\n\nDue to the issues in the DH key generation, I think any connection that uses Diffie-Hellman key exchange is affected.\nConnections between a russh client and server or those of a russh peer with some other misbehaving peer are most likely to be problematic. These may vulnerable to eavesdropping.\n\nMost other implementations reject such keys, so this is mainly an interoperability issue in such a case.\n",
  "id": "GHSA-cqvm-j2r2-hwpg",
  "modified": "2023-03-17T14:42:45Z",
  "published": "2023-03-17T14:42:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28113"
    },
    {
      "type": "WEB",
      "url": "https://github.com/warp-tech/russh/commit/45d2d82930bf4a675bd57abfafec8fe4065befcd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/warp-tech/russh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76"
    },
    {
      "type": "WEB",
      "url": "https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81"
    },
    {
      "type": "WEB",
      "url": "https://github.com/warp-tech/russh/releases/tag/v0.36.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/warp-tech/russh/releases/tag/v0.37.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "russh may use insecure Diffie-Hellman keys"
}

GHSA-CQVV-R3G3-26RF

Vulnerability from github – Published: 2023-10-23 03:30 – Updated: 2023-10-31 22:07
VLAI
Summary
free5GC udm vulnerable to Invalid Curve Attack
Details

pkg/suci/suci.go in free5GC udm before 1.2.0, when Go before 1.19 is used, allows an Invalid Curve Attack because it may compute a shared secret via an uncompressed public key that has not been validated. An attacker can send arbitrary SUCIs to the UDM, which tries to decrypt them via both its private key and the attacker's public key.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/free5gc/udm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-46324"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-24T02:00:10Z",
    "nvd_published_at": "2023-10-23T01:15:07Z",
    "severity": "HIGH"
  },
  "details": "pkg/suci/suci.go in free5GC udm before 1.2.0, when Go before 1.19 is used, allows an Invalid Curve Attack because it may compute a shared secret via an uncompressed public key that has not been validated. An attacker can send arbitrary SUCIs to the UDM, which tries to decrypt them via both its private key and the attacker\u0027s public key.",
  "id": "GHSA-cqvv-r3g3-26rf",
  "modified": "2023-10-31T22:07:50Z",
  "published": "2023-10-23T03:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46324"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/udm/pull/20"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/udm/commit/5e1479cc686f058992557669b13fd3761a1b6024"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/free5gc/udm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/udm/compare/v1.1.1...v1.2.0"
    },
    {
      "type": "WEB",
      "url": "https://www.gsma.com/security/wp-content/uploads/2023/10/0073-invalid_curve.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "free5GC udm vulnerable to Invalid Curve Attack"
}

No mitigation information available for this CWE.

CAPEC-463: Padding Oracle Crypto Attack

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.